Correction. Even though i compile against fpic version of openssl imap-login binnary is still dynamicly linked :/
root@sv1 [/usr/dovecot-2.2.33.2/libexec/dovecot]# ldd imap-login|grep ssl libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x00007f1428559000)
I've put new libssl.so.1.0.0 in this location from /usr/openssl-1.0.2l-fpic/lib/
# strings /lib64/libssl.so.1.0.0|grep openssl -i
SSLv3 part of OpenSSL 1.0.2l 25 May 2017 TLSv1 part of OpenSSL 1.0.2l 25 May 2017 DTLSv1 part of OpenSSL 1.0.2l 25 May 2017
looks good.
and (obviously) restarted dovecot. Outside tester https://filippo.io/CVE-2016-2107 still says my imap on port 993 is vournable to CVE-2016-2107. Weird.
I wish dovecot could print out version of openssl he is using on runtime (for example to maillog, every time he starts). For example apache can do it (and many other programs). Its a must have feature in situation where openssl is dynamicly linked at startup (as using env LD_LIBRARY_PATH will make it link somewhere else for example).
2017-10-27 14:35 GMT+02:00 krzf83@gmail.com krzf83@gmail.com:
You can check with ldd /usr/lib/dovecot/imap-login (or libexec)
No, I cant because I'm compiling dovecot with openssl compiled as FPIC which means that its not getting dynamicly linked.
When I try to compile against non-fpic openssl I just got
/usr/openssl-1.0.2l/lib/libssl.a(s23_srvr.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
2017-10-27 8:33 GMT+02:00 Aki Tuomi aki.tuomi@dovecot.fi:
On 27.10.2017 00:53, krzf83@gmail.com wrote:
I got multiple versions of openssl in my system. I compile dovecot with PKG_CONFIG_PATH=/usr/openssl-1.0.2l-fpic/lib/pkgconfig ./configure
How do I check which version of openssl got compiled in? configure script does not show version. There seem to be no way to check it in compiled binary (?)
My dovecot is still seen vulnerable by tls testing tools so I'm guessing wrong version of openssl got compiled it but there seem to be no way to check it. You can check with ldd /usr/lib/dovecot/imap-login (or libexec)
Just check which SSL library has been linked to it.
Aki